For this post, I would like to share the knowledge and skills that I just acquired by doing this machine. Attacktive Directory is an old machine, and there are probably already a lot of walkthroughs of it out there.


To be frankly honest, I didn’t have any knowledge of how to do penetration testing or security testing on Active Directory, which normally uses a Domain Controller in its infrastructure. So this room is my first encounter with this kind of environment.


As mentioned in the screenshot above, this room was created by Sq00ky and was released around 396 days ago.


Let’s get started!


As usual, we need to deploy the machine by clicking the deploy machine button as shown above.


For the first task, we are required to download the tools that will be used in this activity.


To download and install the tools onto our machine, we use the command

git clone https://github.com/Sq00ky/attacktive-directory-tools.git


Once the download is complete, give execute permission to the Kerberos tool (kerbrute) located inside the attacktive-directory-tools folder, as shown below:


Looking at what we have in this attacktive-directory-tools folder, we are lucky that impacket is included as well.


So let’s install impacket too while we’re at it. We start by unzipping impacket-master.zip and moving the unzipped folder to the /opt/ directory.


After the unzip finishes, install the requirements by running the following command:

pip3 install -r /opt/impacket-master/requirements.txt


After the Python modules have been installed, we can run impacket’s setup script as below:

cd /opt/impacket-master/ && python3 ./setup.py install


Once all the installation above is complete, we can start gathering information about the machine by running nmap -sV -sC -Pn <IP Address> as usual (-Pn skips host discovery so that the scan runs even if the host does not answer ping).


From the output, we can see that the NetBIOS_Domain_Name is THM-AD and the DNS_Domain_Name is spookysec.local. Aside from that, we also learn the NetBIOS_Computer_Name, which is ATTACKTIVEDIREC.


We can already answer a few of the required questions based on the nmap result above.


What tool will allow us to enumerate port 139/445?


To answer the question above, there are a lot of tools we can use to enumerate ports 139/445. Some of them are:

  • nmap
  • enum4linux (this is the answer to this question)
  • nbtscan

For the upcoming question in this activity, we need to use kerbrute by running ./kerbrute


To enumerate valid usernames on the domain, we can use the command


./kerbrute userenum --dc <IP Address> -d spookysec.local userlist.txt -t 100


From what I can digest of the result, there are two notable usernames that we can use here: svc-admin@spookysec.local and backup@spookysec.local.


After the user account information gathering is completed, we can use an attack method that abuses a Kerberos feature, called AS-REP Roasting; it works against accounts that have Kerberos pre-authentication disabled, and you will see its output later. Now we know the user, and we only need to obtain the password for svc-admin.


For this activity, we are lucky because Impacket has a tool called GetNPUsers.py, which queries the Key Distribution Center for AS-REP roastable accounts.
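From the defender’s side, the thing to audit is the userAccountControl flag that makes an account AS-REP roastable in the first place. The following is an added example written for this post (it is not code from the room, from Sq00ky, or from impacket): it checks constructed sample user records for the DONT_REQUIRE_PREAUTH bit and builds the LDAP filter that would ask a domain controller for the same list. The records and their flag combinations are made up for illustration.

```python
"""Audit AD user records for Kerberos pre-authentication disabled.

Added example for this post; not code from the room or from impacket.
An account with the DONT_REQUIRE_PREAUTH bit set in userAccountControl is
what makes AS-REP roasting possible, so a defender's first check is to list
such accounts. The records below are constructed sample data standing in for
the result of an LDAP query against the domain controller.
"""

# userAccountControl bit flags (values as documented by Microsoft).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# LDAP matching rule OID for a bitwise AND on an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample records (flag combinations are made up for illustration).
SAMPLE_USERS = [
    {"sAMAccountName": "svc-admin", "userAccountControl": 0x410200},  # normal, pwd never expires, no pre-auth
    {"sAMAccountName": "backup",    "userAccountControl": 0x010200},  # normal, pwd never expires
    {"sAMAccountName": "oldsvc",    "userAccountControl": 0x400202},  # disabled, but still flagged no pre-auth
    {"sAMAccountName": "alice",     "userAccountControl": 0x000200},  # plain normal account
]


def preauth_disabled(uac):
    """True when the DONT_REQUIRE_PREAUTH bit is set in userAccountControl."""
    return bool(int(uac) & UF_DONT_REQUIRE_PREAUTH)


def account_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set."""
    return bool(int(uac) & UF_ACCOUNTDISABLE)


def find_asrep_roastable(users, include_disabled=False):
    """Return sAMAccountNames whose Kerberos pre-auth is disabled.

    Disabled accounts cannot obtain tickets, so they are left out unless the
    caller asks for them (handy when building a cleanup list).
    """
    found = []
    for user in users:
        uac = int(user["userAccountControl"])
        if not preauth_disabled(uac):
            continue
        if account_disabled(uac) and not include_disabled:
            continue
        found.append(user["sAMAccountName"])
    return found


def ldap_audit_filter():
    """LDAP filter that asks the DC directly for the same set of accounts.

    The bit-AND matching rule compares userAccountControl against the decimal
    value of UF_DONT_REQUIRE_PREAUTH (4194304).
    """
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(userAccountControl:%s:=%d))"
        % (LDAP_MATCHING_RULE_BIT_AND, UF_DONT_REQUIRE_PREAUTH)
    )


if __name__ == "__main__":
    print("AS-REP roastable (enabled):", find_asrep_roastable(SAMPLE_USERS))
    print("Including disabled:", find_asrep_roastable(SAMPLE_USERS, include_disabled=True))
    print("LDAP filter:", ldap_audit_filter())
```

Running it lists svc-admin as the only enabled account with pre-authentication disabled, and adds oldsvc when disabled accounts are included; the filter string it prints can be pasted into any LDAP client that supports the bitwise matching rule.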


The command that we can use here is

GetNPUsers.py -no-pass -dc-ip <IP Address> spookysec.local/svc-admin


The output didn’t show anything on screen because I saved it to a .txt file (svc-admin.txt) so that we can use it later with hashcat.


The screenshot below shows the result of the command we executed above.


There’s a question about the hash mode. Let’s do some research on this.


The first website link is the one we should look into, as it might help answer the question.


Let’s open the website together!


Wow! There are a lot of hash modes listed on the website.


What are we looking for?


$krb5asrep$23$user


This is my first time doing research on hash modes. So let’s move on to the next challenge in this room.


We have most of the requirements to run hashcat for this room. The command we will be using with hashcat is


hashcat -m 18200 -a 0 svc-admin.txt passwordlist.txt --force
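To make the hash-mode research above and the -m 18200 choice concrete, here is an added example written for this post (not code from impacket, hashcat, or the room) that parses the $krb5asrep$ line format GetNPUsers.py writes for hashcat and maps the etype field to the hashcat mode. The sample line is constructed: the user and realm match the room, but the checksum and ciphertext are made-up hex, not the hash from the room.

```python
"""Parse the AS-REP hash format that GetNPUsers.py writes for hashcat.

Added example for this post; not code from impacket or hashcat. The sample
line below is constructed: the user and realm match the room, the checksum
and ciphertext are made-up hex.
"""
import re

# Hashcat mode for the format this post uses: Kerberos 5 AS-REP, etype 23 (RC4-HMAC).
HASHCAT_MODE_FOR_ETYPE = {23: 18200}

# Layout: $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<encrypted part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$"
    r"(?P<user>[^@:$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample line (made-up hex, not a real capture from the room).
SAMPLE_LINE = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
    + "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
    + "$" + "ab" * 40
)


def parse_asrep_hash(line):
    """Split one hash line into its fields, or return None if it is malformed."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    return {
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": m.group("checksum").lower(),
        "edata_bytes": len(m.group("edata")) // 2,
        # None for etypes this example does not cover (e.g. AES types use a different layout)
        "hashcat_mode": HASHCAT_MODE_FOR_ETYPE.get(etype),
    }


def summarize_hash_file(lines):
    """Count parsed lines per (etype, hashcat mode); malformed lines are counted separately.

    Useful before running hashcat on a file like svc-admin.txt: it tells you
    which mode the file actually needs and whether any line is corrupt.
    """
    summary = {"malformed": 0}
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_asrep_hash(line)
        if parsed is None:
            summary["malformed"] += 1
            continue
        key = (parsed["etype"], parsed["hashcat_mode"])
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    print(parse_asrep_hash(SAMPLE_LINE))
    print(summarize_hash_file([SAMPLE_LINE, "not a hash line", ""]))
```

The 23 right after $krb5asrep$ is the Kerberos encryption type (RC4-HMAC), which is why the matching hashcat mode is 18200; the 32 hex characters before the second $ are the 16-byte HMAC checksum and the rest is the encrypted part of the AS-REP.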


Now we have the password for the username svc-admin.


We will need to list the SMB shares on the machine by running the command

smbclient -L <IP Address> -U 'svc-admin'


The system will ask for the password of svc-admin, which we already obtained in the previous task.


As we can see in the screenshot above, the SMB shares are listed as follows:

  • ADMIN$
  • backup
  • CS
  • IPC$
  • NETLOGON
  • SYSVOL

There’s one SMB share that caught my attention: backup. So let’s dive into that by running the command

smbclient //<IP Address>/backup -U 'svc-admin'


To view the files inside this backup share, use the command ls


Let’s download backup_credentials.txt so we can analyse the file, using the command get backup_credentials.txt


Let’s check what is written inside backup_credentials.txt by running

cat backup_credentials.txt


At first glance, we notice that the content is base64-encoded. So let’s run base64 -d backup_credentials.txt


For the next question, we need to use secretsdump.py, which is inside the impacket-master/examples folder


To answer the question about the method used to get NTDS.dit and the NTLM hashes for the administrator, we run

secretsdump.py -just-dc backup:backup2517860@<IP Address>


Honestly, I didn’t know the answer to the question below.

Q3 — What method of attack could allow us to authenticate as the user without the password?


Don’t be ashamed to just google the answer, which leads to the pass-the-hash method.


In order to use evil-winrm, the option that lets us authenticate with the NTLM hash instead of a password is -H


Finally, we are doing the last challenge on this room.


To pass this challenge, we will need to use the tool evil-winrm.


The command we will be using here is evil-winrm -i <IP Address> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc


*Hashes might be different for other players.


For each user, we need to access the Desktop folder of that user account in order to retrieve the flag.

-THE END-


Happy Learning Guys!